Method and system of resiliency in cloud-delivered SD-WAN

ABSTRACT

In one aspect, a computerized method includes the step of providing process monitor in a Gateway. The method includes the step of, with the process monitor, launching a Gateway Daemon (GWD). The GWD runs a GWD process that implements a Network Address Translation (NAT) process. The NAT process includes receiving a set of data packets from one or more Edge devices and forwarding the set of data packets to a public Internet. The method includes the step of receiving another set of data packets from the public Internet and forwarding the other set of data packets to the one or more Edge devices. The method includes the step of launching a Network Address Translation daemon (NATD). The method includes the step of detecting that the GWD process is interrupted; moving the NAT process to the NATD.

CLAIM OF BENEFIT TO PRIOR APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 16/724,154, filed Dec. 20, 2019, now published as U.S. Patent Publication 2020/0127905. U.S. patent application Ser. No. 16/724,154 is a continuation of U.S. patent application Ser. No. 15/701,115, filed Sep. 11, 2017, now issued as U.S. Pat. No. 10,523,539. U.S. patent application Ser. No. 15/701,115 claims priority to U.S. Provisional Patent Application No. 62/523,477, filed on Jun. 22, 2017. U.S. patent application Ser. No. 16/724,154, now published as U.S. Patent Publication 2020/0127905, U.S. patent application Ser. No. 15/701,115, now issued as U.S. Pat. No. 10,523,539, and U.S. Provisional Patent Application 62/523,477 are incorporated by reference in their entirety.

FIELD OF THE INVENTION

This application relates generally to computer networking, and more specifically to a system, article of manufacture and method of resiliency in cloud-delivered SD-WAN.

DESCRIPTION OF THE RELATED ART

Traditional methods of ensuring WAN resiliency have focused on two aspects. First, resiliency for traffic between two enterprise sites (not destined for the public Internet). Second, for subsequent flows towards the public Internet (not guaranteeing session continuity). The methods describe here provide for full resiliency for traffic destined for the public Internet including the preservation of existing flows.

BRIEF SUMMARY OF THE INVENTION

In one aspect, a computerized method includes the step of providing process monitor in a Gateway. The method includes the step of, with the process monitor, launching a Gateway Daemon (GWD). The GWD runs a GWD process that implements a Network Address Translation (NAT) process. The NAT process includes receiving a set of data packets from one or more Edge devices and forwarding the set of data packets to a public Internet. The method includes the step of receiving another set of data packets from the public Internet and forwarding the other set of data packets to the one or more Edge devices. The method includes the step of launching a Network Address Translation daemon (NATD). The method includes the step of detecting that the GWD process is interrupted; moving the NAT process to the NATD.

In another aspect, a computerized method is implemented when a public Internet flow is initiated from an Edge device connected to a Gateway system. The method includes the step of, with a GWD, looking up in a local hash table a NAT translation for a data packet's five tuple. The method includes the step of detecting that no NAT translation is extant for the data packet's five tuple. The method includes the step of creating the NAT translation for the data packet's five tuple. The method includes the step of creating returning the NAT translation for the data packet's five tuple to the Gateway system; storing the NAT translation locally in the Gateway system.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an example process of implementing resiliency in an SD-WAN, according to some embodiments.

FIG. 2 illustrates an example of a gateway data plane running in a GWD process, according to some embodiments.

FIG. 3 illustrates an example of multiple physical or virtual instances of the gateway running and fronted by a single NATO daemon, according to some embodiments.

FIG. 4 illustrates an example of cloud traffic can be routed through an external CWS service to enable security scanning and other service insertion on the traffic before it exits to the public internet, according to some embodiments.

FIG. 5 depicts an exemplary computing system that can be configured to perform any one of the processes provided herein.

The Figures described above are a representative set, and are not exhaustive with respect to embodying the invention.

DESCRIPTION

Disclosed are a system, method, and article of manufacture for resiliency in cloud-delivered SD-WAN. The following description is presented to enable a person of ordinary skill in the art to make and use the various embodiments. Descriptions of specific devices, techniques, and applications are provided only as examples. Various modifications to the examples described herein can be readily apparent to those of ordinary skill in the art, and the general principles defined herein may be applied to other examples and applications without departing from the spirit and scope of the various embodiments.

Reference throughout this specification to “one embodiment,” “an embodiment,” ‘one example,’ or similar language means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrases “in one embodiment,” “in an embodiment,” and similar language throughout this specification may, but do not necessarily, all refer to the same embodiment.

Furthermore, the described features, structures, or characteristics of the invention may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided, such as examples of programming, software modules, user selections, network transactions, database queries, database structures, hardware modules, hardware circuits, hardware chips, etc., to provide a thorough understanding of embodiments of the invention. One skilled in the relevant art can recognize, however, that the invention may be practiced without one or more of the specific details, or with other methods, components, materials, and so forth. In other instances, well-known structures, materials, or operations are not shown or described in detail to avoid obscuring aspects of the invention.

The schematic flow chart diagrams included herein are generally set forth as logical flow chart diagrams. As such, the depicted order and labeled steps are indicative of one embodiment of the presented method. Other steps and methods may be conceived that are equivalent in function, logic, or effect to one or more steps, or portions thereof, of the illustrated method. Additionally, the format and symbols employed are provided to explain the logical steps of the method and are understood not to limit the scope of the method. Although various arrow types and line types may be employed in the flow chart diagrams, and they are understood not to limit the scope of the corresponding method. Indeed, some arrows or other connectors may be used to indicate only the logical flow of the method. For instance, an arrow may indicate a waiting or monitoring period of unspecified duration between enumerated steps of the depicted method. Additionally, the order in which a particular method occurs may or may not strictly adhere to the order of the corresponding steps shown.

Definitions

Example definitions for some embodiments are now provided.

Border Gateway Protocol (BGP) can be a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems (AS) on the Internet.

Cloud computing can involve deploying groups of remote servers and/or software networks that allow centralized data storage and online access to computer services or resources. These groups of remote serves and/or software networks can be a collection of remote computing services.

Daemon can be a background process.

Data center, a physical location housing computing-related gear.

Dynamic tunneling is a transparent mechanism available for applications (e.g. that support the SOCKS4 or SOCKS5 client protocol).

Edge device can be a device that provides an entry point into enterprise or service provider core networks. An edge device can be software running in a virtual machine (VM) located in a branch office and/or customer premises.

Five (5) tuple refers to a set of five different values that comprise a Transmission Control Protocol/Internet Protocol (TCP/IP) connection. It includes a source IP address/port number, destination IP address/port number and the protocol in use.

Flow can be a grouping of packets that match a five (5) tuple which is a combination of Source IP Address (SIP), Destination IP Address (DIP), L4 Source Port (SPORT) and L4 Destination Port (DPORT) and the L4 protocol (PROTO).

Gateway can be a node (e.g. a router) on a computer network that serves as an access point to another network.

Internet Protocol Security (IPsec) can be a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. In IPsec tunnel mode, the entire IP packet is encrypted and authenticated. It is then encapsulated into a new IP packet with a new IP header. Tunnel mode is used to create virtual private networks for network-to-network communications (e.g. between routers to link sites), host-to-network communications (e.g. remote user access) and host-to-host communications (e.g. private chat).

Inter-process communication (IPC) can include mechanisms an operating system provides to allow the processes to manage shared data. Typically, applications can use IPC, categorized as clients and servers, where the client requests data and the server responds to client requests.

Network Address Translation (NAT) is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device.

Orchestrator can include a software component that provides multi-tenant and role based centralized configuration management and visibility.

Open Shortest Path First (OSPF) can be a routing protocol for Internet Protocol (IP) networks. OSPF can use a link state routing (LSR) algorithm and falls into the group of interior gateway protocols (IGPs), operating within a single autonomous system (AS).

Software-defined networking in a wide area network (SD-WAN) a specific application of software-defined networking (SDN) technology applied to WAN connections, which are used to connect enterprise networks, including branch offices and data centers—over large geographic distances. An SD-WAN can simplify the management and operation of a WAN by decoupling the networking hardware from its control mechanism.

Tunneling protocol can allow a network, user to access or provide a network service that the underlying network does not support or provide directly.

Virtual private network (VPN) can extend a private network across a public network, such as the Internet. It can enable users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network, and thus benefit from the functionality, security and management policies of the private network.

Additional example definitions are provided herein.

Examples Methods

FIG. 1 illustrates an example process of implementing resiliency in an SD-WAN, according to some embodiments. In step 102, it can be detected that a new Internet flow is initiated from an Edge device(s) connected to a Gateway. In step 104, a gateway data daemon (GWD) can look up in a local hash table to determine if a NAT translation is available for the data packet's five tuple. If no NAT translation is found, then, step 106, the GWD can query a Network Address Translation Daemon (NATD) for a new translation. If the NATD has previously translated the five (5) tuple, then, in step 108, the NATD can return the same translation that was provided before, thus ensuring session continuity. If the NATD has not previously translated the five tuple, in step 110, it can create a new translation and return it. In step 112, the new translation can be stored locally for future retrieval. When a flow is deleted on the Gateway, a signal can be sent to the NATD to delete the translation and free the associated memory in step 114.

Example Systems

FIG. 2 illustrates an example system 200 of a GWD 202 running in a GWD process 204, according to some embodiments. It is noted that GWD 202 can be a daemon. GWD process 204 can be a user-space process running in Linux. In one example, GWD can include a data plane (e.g. VeloCloue data plane, etc.) and control plane software.

It is noted that the data plane includes the forwarding information base (FIB) and mechanisms for transmitting packets. The control plane includes the routing information base (RIB) and mechanisms for instructing Edges how to transmit packets.

In a single device case, GWD can run in a GWD process 204. GWD process 204 can receive data packets (e.g. all data packets) from the various Edge devices and forward them to the Internet, and vice versa. GWD process 204 can be interrupted for multiple reasons. For example, GWD process 204 can encounter a software fault (e.g. a crash). GWD process 204 can be restarted for troubleshooting. GWD process 204 can be restarted as part of a routine software upgrade. In these scenarios, data traffic can continue to flow uninterrupted. This can be achieved by moving the NAT process and its associated state outside the GWD context (e.g. to NATO 208). Accordingly, FIG. 2 illustrates a simplified process diagram of processes running within the Gateway 202. The process monitor (e.g. vc_procmon 210) can launch and manage two separate services independently: GWD and NATD 208. NATD 208 can be a user-space process running in Linux which contains the NAT software (e.g. VeloCloud® NAT software, etc.). NATO 208 stores its own state and communicates via IPC with GWD.

When a new Internet flow is initiated from one of the Edge devices connected to Gateway 202 the following steps can be implemented. In one step, GWD can look up in a local hash table to see if a NAT translation is available for the packet's five tuple. If no NAT translation is found, then GWD queries NATD 208 for a new translation. If NATO 208 has previously translated the five (5) tuple, then NATD can return the same translation that was provided before, ensuring session continuity. If NATD 208 has not previously translated the five tuple, it can create a new translation and return it. The new translation can be stored locally for future retrieval. When a flow is deleted on Gateway 202, a signal can be sent to NATD 208 to delete the translation and free the associated memory.

FIG. 3 illustrates an example system 300 of multiple physical or virtual instances of one more gateways 308 and 310 running and fronted by a single NATD daemon 306, according to some embodiments. This can allow for horizontal scaling of resources to provide internet connectivity from a larger number of branch devices. NATO daemon 306 can be implemented in load balancer 302. A process monitor (e.g. vc_procmon 304, 316, and 318) can launch and manage associated services (e.g. GWD 312 and 314, NATO daemon 306). In this scenario, the same NATO instance provides resiliency for NAT translations to multiple GWD instances using the same steps defined above.

It is noted that, in some embodiments, a single instance of the gateway (GWD) can have a finite number of Edge devices that can connect to it before it runs out of resources. In order to expand scale beyond this limit, a cluster of multiple gateway instances can be created and load can be distributed across those instances. These instances can share a single NATD to ensure that even if load is moved from one gateway instance to another, the session continuity is maintained.

FIG. 4 illustrates an example of cloud traffic routed through an external Cloud Web Security (CWS) service to enable security scanning and other service insertion on the traffic before it exits to the public Internet, according to some embodiments. In this scenario, the same NATD instance provides resiliency for NAT translations to multiple GWD instances using the same steps provided supra. In addition to routing traffic via the cloud gateway 410, cloud traffic can be routed through an external Cloud Web Security (CWS) 412 service to enable security scanning and other service insertion on the traffic before it exits to the public Internet. There are two mechanisms provided for connecting to the cloud service, via an aggregated IPsec tunnel through Gateway 410 and via an IPsec tunnel direct from the Edge 402 itself. By tracking the state of various connectivity points, this provides full redundancy for internet traffic even if any one of the tunnels fails.

There can be three tunnels established in the topology of FIG. 5 which enable the Edge 402 to reach the CWS 412 service. This tunnel is from the Gateway 410 to the CWS 412 service. This tunnel is established per Gateway 410 and one or more edges are assigned to this tunnel via profile, allowing edges to take advantage of the Edge-Gateway Multipath Method and ensure traffic resiliency in reaching the Gateway 410. This tunnel is established from the Edge directly to the CWS 412 service over ISP A 404. This tunnel is established from the Edge directly to the CWS 412 service over ISP B 406. Edge 402 is able to dynamically shift traffic per-packet over the optimal tunnel based on continuous measurement of tunnel state, latency, traffic priority, congestion, etc.

Link Resiliency is now discussed. For resiliency of the individual links, multiple modes are provided. The method can include an Edge-Gateway Multipath Method where both links are considered active. In this topology, the reactivity time for blackout or brownout conditions is three hundred (300) ms and approximate bandwidth consumption on the second link is one thousand two-hundred and fifty (1250) MB per month.

Two additional modes can be provided which reduce the reactivity time but save on bandwidth consumption. The first mode provided is a pure backup mode, wherein tunnels are not established on the WAN link and ICMP probes alone are used to monitor link states. The link is still included in the link state machine tracking availability to determine availability for failover. This availability is reported as status on an Orchestrator and used to generate link up/down alerts though tunnels are not active. In this mode, usage is only twenty (20) MB per month but it may take up to two (2) seconds for the link to take over in case of blackout of the primary link and there is no brownout protection.

In a second mode, the link can be maintained in a “hot standby” mode wherein the tunnels are active however all MP control traffic is not sent across the link. In this mode, reactivity time can be seven-hundred milliseconds (700 ms) for blackout or brownout conditions and the usage is approximately two-hundred and fifty (250) MB per month.

Various cloud resiliency examples are now discussed. For cloud traffic, it can be that traffic continuity is maintained through a single peering, point due to NAT. However, the resiliency methods described above (e.g. multiple devices) can also be applicable to cloud traffic. Because sessions are translated to a given public Internet Protocol (IP) address, resiliency that utilizes multiple devices and instead resiliency behind a single NAT IP address is important. In this regard, the Gateway has the ability to provide resilient connectivity in a single or multi-device topology while preserving NAT state.

Additional Exemplary Computer Architecture and Systems

FIG. 5 depicts an exemplary computing system 500 that can be configured to perform any one of the processes provided herein. In this context, computing system 500 may include, for example, a processor, memory, storage, and I/O devices (e.g., monitor, keyboard, disk drive, Internet connection, etc.). However, computing system 500 may include circuitry or other specialized hardware for carrying out some or all aspects of the processes. In some operational settings, computing system 500 may be configured as a system that includes one or more units, each of which is configured to carry out some aspects of the processes either in software, hardware, or some combination thereof.

FIG. 5 depicts computing system 500 with a number of components that may be used to perform any of the processes described herein. The main system 502 includes a motherboard 504 having an I/O section 506, one or more central processing units (CPU) 508, and a memory section 510, which may have a flash memory card 512 related to it. The I/O section 506 can be connected to a display 514, a keyboard and/or other user input (not shown), a disk storage unit 516, and a media drive unit 518. The media drive unit 518 can read/write a computer-readable medium 520, which can contain programs 522 and/or data. Computing system 500 can include a web browser. Moreover, it is noted that computing system 500 can be configured to include additional systems in order to fulfill various functionalities. Computing system 500 can communicate with other computing devices based on various computer communication protocols such a Wi-Fi, Bluetooth® (and/or other standards for exchanging data over short distances includes those using short-wavelength radio transmissions), USB, Ethernet, cellular, an ultrasonic local area communication protocol, etc.

CONCLUSION

Although the present embodiments have been described with reference to specific example embodiments, various modifications and changes can be made to these embodiments without departing from the broader spirit and scope of the various embodiments. For example, the various devices, modules, etc. described herein can be enabled and operated using hardware circuitry, firmware, software or any combination of hardware, firmware, and software (e.g., embodied in a machine-readable medium).

In addition, it can be appreciated that the various operations, processes, and methods disclosed herein can be embodied in a machine-readable medium and/or a machine accessible medium compatible with a data processing system (e.g., a computer system), and can be performed in any order (e.g., including using means for achieving the various operations). Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense. In some embodiments, the machine-readable medium can be a non-transitory form of machine-readable medium. 

What is claimed as new and desired to be protected by Letters Patent of the United States is:
 1. A method of performing security services in a software-defined wide area network (SD-WAN) connecting multiple physical sites of an enterprise, the method comprising: deploying, at a first physical site of the enterprise, an edge device; and configuring the edge device to forward packets from computers at the first physical site that are addressed to destinations outside of the first physical site to a cloud gateway outside of the first physical site and accessible through the Internet, the cloud gateway having an associated cloud web security (CWS) service to perform security scanning for packets, which are from the edge device and are addressed to destinations outside of the first physical site, before the packets are forwarded to the destinations of the packets; wherein the cloud gateway forwards packets to the CWS service along a first tunnel for the CWS service to perform the security scanning on the packets before the packets are forwarded to their destinations, said configuring the edge device comprising (i) configuring the edge device to forward packets to the cloud gateway along a second tunnel through a first link of a first Internet Service Provider (ISP) and (ii) configuring the edge device to dynamically shift to a third tunnel through a second link of a second ISP to forward packets to the cloud gateway.
 2. The method of claim 1, wherein the CWS service performs service insertion for data traffic from the enterprise first network prior to the data traffic being sent to the public Internet.
 3. The method of claim 1, wherein the first tunnel is an IPsec tunnel.
 4. The method of claim 1 further comprising configuring the edge device to dynamically select between the second and third tunnels based on measurement metrics repeatedly taken regarding a state of each tunnel, wherein configuring the edge device to dynamically select between the second and third tunnels comprises said configuring the edge to dynamically shift to the third tunnel.
 5. The method of claim 1, wherein the packets are forwarded to their destinations along the Internet.
 6. The method of claim 1, wherein the physical sites, including the first physical site, comprise branch sites of the enterprise.
 7. A non-transitory machine readable medium storing a program for performing security services in a software-defined wide area network (SD-WAN) connecting multiple physical sites of an enterprise, the program for execution by at least one processing unit, the program comprising sets of instructions for: deploying, at a first physical site of the enterprise, an edge device; and configuring the edge device to forward packets from computers at the first physical site that are addressed to destinations outside of the first physical site to a cloud gateway outside of the first physical site and accessible through the Internet, the cloud gateway having an associated cloud web security (CWS) service to perform security scanning for packets, which are from the edge device and are addressed to destinations outside of the first physical site, before the packets are forwarded to the destinations of the packets; wherein the cloud gateway forwards packets to the CWS service along a first tunnel for the CWS service to perform the security scanning on the packets before the packets are forwarded to their destinations; said set of instructions for configuring the edge device comprising sets of instructions for (i) configuring the edge device to forward packets to the cloud gateway along a second tunnel through a first link of a first Internet Service Provider (ISP) and (ii) configuring the edge device to dynamically shift to a third tunnel through a second link of a second ISP to forward packets to the cloud gateway.
 8. The non-transitory machine readable medium of claim 7, wherein the CWS service performs service insertion for data traffic from the enterprise first network prior to the data traffic being sent to the public Internet.
 9. The non-transitory machine readable medium of claim 7, wherein the first tunnel is an IPsec tunnel.
 10. The non-transitory machine readable medium of claim 7, wherein the program further comprises a set of instructions for configuring the edge device to dynamically select between the second and third tunnels based on measurement metrics repeatedly taken regarding a state of each tunnel, wherein the set of instructions for configuring the edge device to dynamically select between the second and third tunnels comprises said set of instructions for configuring the edge to dynamically shift to the third tunnel.
 11. The non-transitory machine readable medium of claim 7, wherein the packets are forwarded to their destinations along the Internet.
 12. The non-transitory machine readable medium of claim 7, wherein the physical sites, including the first physical site, comprise branch sites of the enterprise. 